
Commit b78b754d authored by Jeff Sharkey's avatar Jeff Sharkey

Enforce file transfer restrictions for shell.

If we have a policy that says DISALLOW_USB_FILE_TRANSFER, then block
file transfers for that user through common ContentProviders.

Test: builds, boots
Bug: 64672411
Change-Id: I502b10c2c229727bc6b421f9db6d2d9e2e03845c
parent 60de82d1
+27 −2
@@ -19,7 +19,6 @@ package com.android.externalstorage;
import android.annotation.Nullable;
import android.app.usage.StorageStatsManager;
import android.content.ContentResolver;
import android.content.Context;
import android.content.UriPermission;
import android.database.Cursor;
import android.database.MatrixCursor;
@@ -28,7 +27,9 @@ import android.net.Uri;
import android.os.Binder;
import android.os.Bundle;
import android.os.Environment;
import android.os.IBinder;
import android.os.UserHandle;
import android.os.UserManager;
import android.os.storage.DiskInfo;
import android.os.storage.StorageManager;
import android.os.storage.VolumeInfo;
@@ -95,6 +96,7 @@ public class ExternalStorageProvider extends FileSystemProvider {
    private static final String ROOT_ID_HOME = "home";

    private StorageManager mStorageManager;
    private UserManager mUserManager;

    private final Object mRootsLock = new Object();

@@ -105,12 +107,35 @@ public class ExternalStorageProvider extends FileSystemProvider {
    public boolean onCreate() {
        super.onCreate(DEFAULT_DOCUMENT_PROJECTION);

        mStorageManager = (StorageManager) getContext().getSystemService(Context.STORAGE_SERVICE);
        mStorageManager = getContext().getSystemService(StorageManager.class);
        mUserManager = getContext().getSystemService(UserManager.class);

        updateVolumes();
        return true;
    }

    private void enforceShellRestrictions() {
        if (UserHandle.getCallingAppId() == android.os.Process.SHELL_UID
                && mUserManager.hasUserRestriction(UserManager.DISALLOW_USB_FILE_TRANSFER)) {
            throw new SecurityException(
                    "Shell user cannot access files for user " + UserHandle.myUserId());
        }
    }

    @Override
    protected int enforceReadPermissionInner(Uri uri, String callingPkg, IBinder callerToken)
            throws SecurityException {
        enforceShellRestrictions();
        return super.enforceReadPermissionInner(uri, callingPkg, callerToken);
    }

    @Override
    protected int enforceWritePermissionInner(Uri uri, String callingPkg, IBinder callerToken)
            throws SecurityException {
        enforceShellRestrictions();
        return super.enforceWritePermissionInner(uri, callingPkg, callerToken);
    }

    public void updateVolumes() {
        synchronized (mRootsLock) {
            updateVolumesLocked();
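Review bot: The guard in `enforceShellRestrictions()` matches only `android.os.Process.SHELL_UID` and reads the restriction through `mUserManager` with no explicit user, yet nothing at the method states that scope, so it should be documented where it is defined. A short Javadoc would do: `/** Rejects shell (adb) callers while DISALLOW_USB_FILE_TRANSFER is set; the restriction is presumably that of the user this provider instance runs as. */`. The check is reached only through the `enforceReadPermissionInner` and `enforceWritePermissionInner` overrides, so whether every provider entry point routes through those two hooks depends on superclass code not shown here and is worth confirming. The commit's test line is "builds, boots"; a test that calls in as shell with the restriction set and expects `SecurityException` on both the read and the write path would pin the behaviour.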